1 Nov 2025 06:22:12 Charpe, Anil <[email protected]>:
Hi,
It is about the
CVE-2025-55754<https://nvd.nist.gov/vuln/detail/CVE-2025-55754>
mentioned in the email subject.
I have a couple of questions to confirm, since when I googled it, it mentions
that - Yes, exploiting CVE-2025-55754 requires user interaction and
relies on an administrator running an interactive command console. So,
it is creating confusion and ambiguity as to what is exactly correct?
Kindly clarify & confirm.
* Is this CVE applicable only when there is an interactive console?
Yes. If there is no console there is nothing for the ANSI escape
sequences to manipulate and therefore no opportunity to trick the
administrator.
I'll also add that the console must process ANSI escape sequences. Default
behaviour for this varies by Windows version and whether the current user
is an administrator.
* If there is an interactive console, but Tomcat is launched from
that console in an altogether separate window, just like a process
monitor, then will this CVE still be applicable?
That would be the equivalent of running catalina.bat start rather than
catalina.bat run. The attack is still possible in that case but (even)
less likely as it will be more obvious to the administrator that they are
being tricked.
Mark
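As an added example (not code from this thread or from Tomcat): a small Python detector and neutralizer for the ANSI escape sequences the reply describes, so a log shipper or console wrapper can surface the raw control bytes instead of letting a VT-capable console interpret them. The log lines below are constructed; the request paths in them are hypothetical.

```python
import re

# Constructed sample log lines (not from the advisory). Lines 2 and 3 carry
# escape sequences the way an attacker-controlled request path could: a
# clear-screen/home/erase-line CSI sequence, and an OSC (title) sequence.
ESC = "\x1b"
SAMPLE_LOG_LINES = [
    "GET /index.html HTTP/1.1 200",
    "GET /" + ESC + "[2J" + ESC + "[H" + "Tomcat started normally"
    + ESC + "[K HTTP/1.1 404",
    "GET /" + ESC + "]0;harmless\x07x HTTP/1.1 404",
]

# CSI (ESC [ params intermediates final), OSC (ESC ] ... BEL or ESC \),
# other two-byte ESC sequences, and the 8-bit C1 CSI introducer 0x9B.
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-Z\\-_]"
    r"|\x9b[0-?]*[ -/]*[@-~]"
)
# Any other C0/C1 control byte except TAB is still unsafe on a console
# (newlines can forge extra log lines, BEL/ESC fragments confuse parsers).
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def find_escape_sequences(line):
    """Return the escape sequences found in one log line, for alerting."""
    return ANSI_RE.findall(line)


def neutralize(line):
    """Render every control byte as visible \\xNN text so a VT-capable
    console displays the sequence instead of executing it."""
    return CONTROL_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def audit(lines):
    """Return (neutralized_lines, findings). findings maps the index of each
    line carrying escape sequences or stray control bytes to what was found."""
    findings = {}
    for i, line in enumerate(lines):
        seqs = find_escape_sequences(line)
        if seqs or CONTROL_RE.search(line):
            findings[i] = seqs
    return [neutralize(line) for line in lines], findings


if __name__ == "__main__":
    safe_lines, hits = audit(SAMPLE_LOG_LINES)
    for idx, seqs in hits.items():
        print("line %d: %d escape sequence(s): %r" % (idx, len(seqs), seqs))
    print("\n".join(safe_lines))
```

This is defence in depth on the console side; upgrading to a fixed Tomcat release remains the primary remediation.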